Hacking a Car With Music

itwbennett writes "Researchers at the University of California, San Diego, and the University of Washington have identified a handful of ways a hacker could break into a car, including attacks over the car's Bluetooth and cellular network systems, or through malicious software in the diagnostic tools used in automotive repair shops. But their most interesting attack focused on the car stereo. By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car. This type of attack could be spread on file-sharing networks without arousing suspicion, they believe. 'It's hard to think of something more innocuous than a song,' said Stefan Savage, a professor at the University of California."

Hackers can turn your home computer into a bomb!

[mykos]

http://www.mopo.ca/2007/08/hackers-can-turn-your-home-computer.html

Uh, what?

[gman003]

I can accept malicious data taking over the stereo system. That's believable. What I find impossible is going from there to the rest of the car. I installed my own stereo system - the only wires involved were power and output to the speakers. That's it. Unless they can find an exploit in a 12v battery, they literally cannot get to anything automotive.

Maybe newer cars, where everything is "integrated", are different. In which case, I'm glad I bought a used '99 Talon rather than a brand-new anything.

Re:Uh, what?

Newer cars with integrated stereos hook them up to the car's CAN bus. From there all bets are off.

Re:Uh, what?

[drinkypoo]

Maybe newer cars, where everything is "integrated", are different. In which case, I'm glad I bought a used '99 Talon rather than a brand-new anything.

If your car uses the CAN-bus for stereo controls, and has only a single CAN-bus, then yeah, you can probably hack the security, which is integrated into the PCM, from the stereo.

Re:Uh, what?

[Osgeld]

can bus

http://en.wikipedia.org/wiki/Controller_area_network

course it all depends on what your car has in it, my 06 kia not a big deal as my stereo is not connected to it, much like you mention above, my mom's 2011 jeep on the other hand, you cant even unlock a door without talking on it

Re:Uh, what?

[MacGyver2210]

Even from the CAN bus your largest attack would be messing with fuel economy. The communications on the CAN bus are usually quite secluded from any form of digital engine control.

For example, the Oxygen and MAP sensors might broadcast on the CAN bus, and you may be able to spoof them so in the ECU it causes an engine light or bad fuel economy. Beyond that, the CAN bus is pretty much just information being sent about the status of things. There is usually no control taking place via those connections. All control based on those messages comes from the ECU directly.

Re:Uh, what?

[MacGyver2210]

I've never seen a keyless entry system connected to a CAN bus.

I have in no way worked on all cars out there, but that would be what we with common sense call 'poor system design'.

Re:Uh, what?

[Gordonjcp]

The fact that such a device would run arbitrary code from a music file,

It can't. There is *no possible way* that you can send a malicious audio track to mess about with the car's electronics. The article is totally on crack.

What you can do on most cars with multiplexed (CANBus) electronics is put new firmware onto various systems from a CD. Rather than recall a batch of cars to do an update, you can just pop a CD in the post. It speeds things up at the workshop, too - when my van needed an update the guy from Mercedes was able to come out to me, but I dropped by the garage since I was working nearby. Pop in a disk, turn the ignition on with the right combination of buttons held down on the stereo, and it updates the various ECUs.

My own car (1988 CitroÃn CX) has absolutely no electronics at all, except the clock on the dashboard - and that doesn't work anyway.

Re:Uh, what?

[bhtooefr]

Newer VWs have the following things all on a single CAN bus (and there actually is a justification for it):

Engine control unit
Transmission control unit
Anti-lock brakes/traction/stability control (and these can actually command the ECU to accelerate or decelerate)
Instrument cluster (this one can command the ECU to shut down, if it thinks the car is stolen)
Radio
Climate control
Central convenience module (handles remote locks, power windows, and things like that)
Airbags
Electric power steering

So, the reason for them all being connected... let's say you get into a crash.

Airbags deploy. This sends a message to the ECU to shut down, the instrument cluster that there's an airbag issue, the radio to shut down, the central convenience module to turn on the flashers, roll down the windows, and unlock the doors.

If you're not worried about malware, that makes sense, and the thought of malware attacking a radio is generally insane.

Re:Uh, what?

[PseudonymousBraveguy]

That's simply wrong. Lots of safety relevant systems, like ESP, communicate via CAN (or FlexRey in more modern cars). So, in theory, if you hijacked the whole bus you could pretty easily kill everyone inside the car. In praxis, however, it's not quite that simple. e.g. the bus driver of a FlexRay bus will electrically prevent sending any data outside of your designated timeslot, so you can't override data send by other ECUs. (Not to mention that the only place data from the entertainment system and from safety related systems will meet is probably the dashboard, and that's pretty much a dead end).

Re:Uh, what?

[gomiam]

Too many variations? Erm... Audi/Volkswagen/Seat use basically the same control software, for example, even if different revisions of it. And i'ts not like you can't put several attack vectors inside a 3-4MB file, right?

Re:Hackers can turn your home computer into a bomb

[tonyreadsnews]

LOL, funniest part about that story:

When the receiver downloads the attachment, the electrical current and molecular structure of the central processing unit is altered, causing it to blast apart like a large hand grenade

Re:Bad Programmers

[NotQuiteReal]

Why are the most ubiquitous products the most buggy?

Maybe because they (products) need to be cheap and quick to market to become ubiquitous?

Remember the old "joke"?
* Cheap
* Good
* Fast
Pick 2


There are a lot of folks who just by the latest (fast) stuff they can afford (cheap). Quality (good) doesn't enter into the equation.

Re:Attacks

[StefanSavage]

> In a talk, Stefan claimed to have the ability to remotely drive as well, i.e., steer/accelerate/brake.
I'd be surprised if you're not misremembering... both because we hadn't spoken publicly about concrete remote vulnerabilities before our NAS briefing and because some of this is not true. In particular, steering is not electrically intermediated on most cars (new electric cars aside) and we've never demonstrated acceleration control (engine start/shutdown, yes... acceleration no... although I'd be surprised if it wasn't possible).

Re:Bad Programmers

[Imrik]

Because they receive the most post-release testing to detect bugs.

Re:Bad Programmers

[cayenne8]

Which cd's could help you steal a car more often?

Rap

Notice I didn't say music....'cause the terms 'rap' and 'music ' are pretty much exclusive terms....

:)

That's it!

[celle]

Back to the horse and buggy everyone.
Or at least to pre '80s cars with a dumb ignition/electrical system instead of this newer butt-kissing junk.

"The more they try to overtake the plumbing, the easier it is to stuff up the drain. "
Scotty -- Star Trek III:The Search for Spock. (or was it "search for more money"?)

Re:That's it!

[billcopc]

If consumers had any say in automobile design, we wouldn't have all this bullshit in the first place. They charge us thousands for a factory stereo worth less than an hundred. They sell us all these proprietary navigation systems that get trounced by an iPhone or Android. They oh-so-cleverly forget to put in a drain plug so you have to pay the dealer $150 for an oil change.

Yeah, the auto industry is taking its cues from Wall Street: more bullshit = more money.

Re:That's it!

[ShakaUVM]

If consumers had any say in automobile design, we wouldn't have all this bullshit in the first place. They charge us thousands for a factory stereo worth less than an hundred. They sell us all these proprietary navigation systems that get trounced by an iPhone or Android. They oh-so-cleverly forget to put in a drain plug so you have to pay the dealer $150 for an oil change.

Pfft. You're stuck in the 80s.

My Nissan and my wife's Honda dealership both charge ~$24 for an oil change. I actually bought a lifetime (for the ownership of the car) all-you-can-eat oil change plan (with Synthetic) for $400, which includes oil filters, air filters, etc. It cost me $18 to have my wheels rotated, which I guess is a bit more than Walmart. /shrug.

I just put in an aftermarket stereo system (I drive 25k miles a year, and a good audio system with XM radio has become essential to me). Putting in four good speakers + head unit + XM radio + integration with steering wheel audio controls cost about $900. I quite like the result I got, but I'd have preferred getting the factory installed package. Better integration with XM radio, better reception, and a 9-speaker system. Most dealerships charge about $1000 for this, and it comes factory installed.

But my car only had XM radio installed in a mega-package that included leather heated seats, moonroof, etc., so I just did it myself.

Re:That's it!

[ShakaUVM]

>>You actually think it's reasonable that a stereo should cost more than a computer? Snap out of it.

The head unit costs a few hundred bucks, a XM radio costs more money, and good speakers cost even more.

The point the GGP was trying to make was that dealerships screw you on car audio systems, but I found they were reasonably comparative with DIY.

Though there are pros and cons on each side, I could see a reasonable person choosing to do it either way.

used to work in Windows

[dltaylor]

Microsoft Windows products have been known to scan media streams for executables, either deliberately (for installing gov't keyloggers, for example) or accidentally:

http://www.iss.net/security_center/reference/vuln/RIFF_Codec_Overflow.htm

Please Do

[dmomo]

If it will disable bass boomers in my neighborhood.

Sounds like my AV receiver

[tlhIngan]

After obtaining a service manual for my AV Receiver, firmware updates are done by using a CD player with digital out, and hooking it to the TOSlink input on the front.

Put it in a special service mode, put a specially burned CD in the CD player, and hit play. The AV receiver grabs the firmware update information off the digital input.

Presumably there's safeguards to ensure that the firmware is transferred correctly, as well as various sync signals to ensure that if you accidentally seeked at the beginning or the player skipped it would be detected.

Probably not a simple modulated audio stream since that'll be quite slow.

You wouldn't download a car

[dutchwhizzman]

Well, it appears closed source and copyrights have yet gotten me one step closer to being able to do just that.

Re:Hackers can turn your home computer into a bomb

[Mister+Transistor]

Would that be Mushroom Cloud computing?

Explain

[Fizzl]

... car's stereo system, giving attackers an entry point to change other components on the car...

Explain?
Wtf? This is just silly.

Re:Bad Programmers

[maxwell+demon]

Well, I'd not be surprised that much about audio codec vulnerabilities than about the possibility to use the radio to attack other parts of the car. The radio should be a self-contained unit which apart from speaker cables and power supply has no connection to the rest of the car.

Re:Bad Programmers

[netsharc]

Unfortunately, that's not the case. Let's see how the radio (or to be exact, the stereo system) can be wired up to other systems:

- it can be wired to the engine RPM-reader/speedometer to detect approximately how loud the environment will be, and turn its volume accordingly.
- It might want to display the current song title in the one display available in the car
- Wheel-mounted Volume/FF/Rewind/Play/Pause/Next/Prev Track controls anyone? And since that'll be a lot of buttons, they might replace it with a general 4-way joystick which do other things as well depending on the current task (car settings, navigation, stereo system)
- If a phone is attached via Bluetooth, silence/pause the current track when a call comes in/when the user wants to make a call.

Of course, all dangerous and non-essential extensions to what a car is supposed to do, but all high-end cars have them, because, well, the customer likes features!

If I were designing a car, the audio codec would get its own CPU, so any exploits would just crash/reboot that mechanism. The only critical output would be the "display song title on screen", but does the CPU that control the display also control the whole car (alarm system, etc?).

But then again, cars with navigation systems can talk, and they need another codec to decode the lady's "turn left" ogg file, and if it's "cost-savings!" they're interested in, they'd think, "oh since we already have an audio part here, let's bodge the stereo system into the equation.", and there you go, MP3 decoding being done on the system that controls the central locking.

Re:Hackers can turn your home computer into a bomb

[RockDoctor]

I was still using a 5¼ floppy well into the '90s, and recently had to re-build a unit with one, to search some "archived" data (yes, I know, which is why the "archiver" was asking me to help him out of a bind). And 14"/640x480 monitors are still functional, if inconveniently small. It makes good sense to continue using them where they are still appropriate, until they die.

Case in point : the development monkeys recently tested a product release on a 1280x1024 (or thereabouts) screen and passed it for release. On site, we "users" discovered that a critical dialog box was nearly impossible to use on the 640x480 laptop screen used for that server.
Lesson : be strict that your testing suite really is run on the minimum specification machine for that system, which will normally not be a machine in the development monkey's office.